Why passwords might (finally) go away


In 2012, Wired's Matt Honan wrote about the disastrous consequences of tying your entire digital life to a string of letters, digits, and symbols. Honan is just one of countless people whose online accounts were hijacked after hackers discovered their passwords; the list of victims also contains high-profile tech executives, including Mark Zuckerberg.

For years, we've been talking about the need to replace passwords with more secure and reliable methods. As recently as last month, the United Nations accidentally revealed employee passwords on publicly shared Trello boards and in Google Docs. Even Facebook's recent hack was related to poor password-based authentication systems. And billions of stolen passwords are changing hands in dark-web markets.

And yet, passwords remain the main method of protecting online accounts.

There has been no small amount of innovation in the authentication space. In 2016, I wrote about authentication technologies that provided secure and easy-to-use alternatives to passwords, but until recently, none had achieved mass adoption.


Now, though, there's hope that we can finally ditch long, complex passwords thanks to a series of regulations and open standards that ease and encourage the implementation of passwordless authentication methods in online applications.

What's Preventing Passwordless Authentication?

"The vast number of passwords needed in our daily lives have become a burden, which is why we see so many reused or weak static credentials," says Stina Ehrensvard, CEO and Founder of Yubico, which manufactures physical security keys like the Yubikey 5 NFC. "We needed to think about how to address this problem in a way that simplifies the login process while adding the highest level of security. Up until now, there hasn't really been a way to do both of those things successfully."

The vulnerabilities of passwords are not lost on the organizations that continue to use them. But before considering alternatives, they must take into account the security, usability, availability, and costs of the technology.

"The reason we haven't replaced passwords before now with something more reliable is that all the alternatives that may have been better for security or usability have not been ubiquitously available to all shapes and sizes of internet-connected devices, nor have they been cost-effective," says Brett McDowell, executive director of the FIDO Alliance, a consortium that develops authentication standards.

Also, password entry is the least expensive and easiest authentication technology to implement in new websites and mobile apps. And while alternatives such as biometric authentication technology have become more widely available on mobile devices, password entry remains the ubiquitous feature that all devices support. Removing it would prevent many users from accessing those services.

Lack of standards also makes it hard to move away from passwords. The overhead cost of adding support for dozens of different authentication technologies in client applications and backend servers is something that most organizations could not bear.

And of course, there's always the human factor. "Some companies and individuals continue to believe that they won't be affected by cyber attacks and that they are not of interest to cybercriminals. A lack of desire and resources to change existing solutions is hindering adoption of new passwordless authentication solutions," says Alex Momot, CEO of REMME, a startup developing a decentralized authentication system.

The Feds Come Knocking

In recent years, there's been an increase in awareness surrounding online security and privacy of users, especially among government agencies and regulators. While previously, organizations could've shrugged off data breaches and security incidents with few legal and financial consequences, that's no longer the case.

"Regulators are as tired of data breach headlines as anyone else, and they are starting to take action, resulting in more businesses adding strong authentication to their data protection practices," says McDowell.

Among the most relevant regulatory actions is the General Data Protection Regulation (GDPR), a set of rules that define how companies collect, handle, and secure user data. GDPR also defines standards for strong user authentication. Companies that fail to comply with the rules and protect their customers' data will be severely fined. GDPR applies to the EU jurisdiction only, but since many companies that aren't based in the EU still do business in the region, it is now considered a gold standard for security.

"At a time when more and more companies are adopting strong authentication, and more and more data breaches are caused by password compromise, it is going to be increasingly difficult for a business to make the case to a GDPR regulator that password-only authentication is appropriate security, potentially exposing their company to fines that are far more expensive than the price of moving from passwords to true strong authentication," McDowell says.

Other industry-specific regulations are more explicit about the use of authentication technology. An example is Payment Services Directive 2 (PSD2), which regulates e-commerce and online financial services in Europe and makes two-factor authentication (2FA) mandatory. PSD2 also encourages the use of security cards, mobile devices, and biometric scanners to improve the user experience without compromising security.

And the National Institute of Standards and Technology (NIST), which defines the criteria for various industries, states in its digital identity guidelines that organizations should move away from passwords and one-time passcodes and adopt modern strong authentication.

"More specifically, NIST recommends authentication in which your modern device creates and uses cryptographic private keys as your new account credentials and securely stores them to your personal device in the same way most smartphones now securely store your fingerprint data," McDowell says.

There's debate over whether government regulation will hamper or encourage innovation. But at this point, we might need a regulatory push toward the adoption of more secure authentication mechanisms.

"Governments can play a critical role in the adoption of open standards," says Ehrensvard. "Take a look at the seatbelt, for example. It too is an open standard, and its use was regulated by the government. Because of this, there are 10 times more cars on the road today but a lower total number of fatal car accidents."

Getting on the Same Page

Widespread replacement of password-only authentication needs more than regulations. Without a set of standard protocols, organizations and companies will struggle to find an authentication technology that keeps them in line with security regulations while making their applications available to their users.

That was the problem FIDO was set to solve. FIDO Authentication is based on a set of free and open technology standards, developed in partnership with the World Wide Web Consortium (W3C). The aim is to create interoperability among devices and services by enabling the entire consumer electronics industry to integrate the technology into their products and platforms.

FIDO replaces passwords with public key cryptography. This means that instead of passwords, users are identified with a pair of public and private keys. Anything encrypted with a public key can be decrypted only by its corresponding private key. When a user signs up with an online service that supports FIDO authentication, the service generates a key pair and stores the public key on its servers. The private key is stored on the user's device only. When logging in, the client application is presented with a cryptographic challenge generated with the public key, which can only be solved by the private key. Users must verify their identity with their device (through fingerprint, face, or PIN) to unlock their private key and solve the challenge.

The advantage of this model is that it provides multi-factor authentication without requiring the storage and exchange of passwords. Even if hackers manage to breach the servers of the service provider, they'll get access only to public keys, which are useless without the corresponding private keys stored on users' devices. If the hackers steal a user's device, they'll still need to bypass the local identity verification to obtain the private key. From a user's perspective, this obviates the need to memorize long, complex passwords for each account while providing superior security.

But FIDO's greater achievement is getting widespread support from the tech industry. The alliance has brought together big names such as Google, Microsoft, Amazon, and Intel to develop standards that would be easy to implement on different device types and operating systems.

"The businesses that came together to form FIDO Alliance understood that replacing passwords for online authentication could only ever become commercially viable at scale through a combination of free and open technology standards, a vastly superior user experience, and a fundamentally different approach to the security model," McDowell says.

FIDO recently released FIDO2, an extension to its standard that adds support for public key authentication to browsers and a wide range of application frameworks. The standard is supported by Windows 10, Google Play Services on Android, and the Chrome, Firefox, and Edge web browsers. WebKit, the technology behind Apple's Safari browser, might also add support for FIDO2 soon.

"The FIDO2 standard enables the replacement of weak password-based authentication with strong hardware-based authentication that utilizes public key cryptography," says Ehrensvard, whose company Yubico is among the key members of FIDO. "This standard allows for passwordless authentication in several forms, including via USB and tap-and-go NFC, which provides an optimal user experience, and drastically improves security and productivity."

When Will Passwords Finally Go Away?

Although the industry has come a long way toward developing alternative authentication methods, passwords won't disappear overnight. "We should take into account that we have a lot of 'legacy' software and information systems. That's why it's not always possible to easily change established rules of authentication including those that are password based," says Momot, the chief executive of REMME.

Other experts, such as Sandor Palfy, CTO of LogMeIn, believe passwords will remain a central facet of identifying users. He also believes the industry should focus on improving the password experience.

"Until universal coverage with multi-factor authentication (or even behavioral or contextual authentication) is available, companies need to invest in strengthening password-protected services in use across the entire organization," Palfy says.

"Remembering unique, complex passwords for all our work and personal accounts doesn't align with natural human behavior. By using tools like password managers, remembering multiple passwords should be a thing of the past, with users only having to remember one master password," says Palfy, whose company is the developer of the LastPass password manager.

But to McDowell, who has been at the helm of FIDO since 2014, the quest to root out passwords is finally reaching its final stages. "Today the passwordless future is becoming a reality, one application at a time. Within a few years, I expect password entry forms to be about as rare to find on web pages as public telephone booths are in public spaces these days, and for the same reason—we have a cost-effective, ubiquitous alternative that offers a much better user experience," he says.

This article originally appeared on PCMag.com.